My first kernel hijacking code
Hijack the kernel function kzalloc
1 #include <linux/kernel.h>
2 #include <linux/module.h>
3 #include <linux/slab.h>
4 #include <asm/string.h>
5 #include <asm/unistd.h>
6 #include <linux/fs.h>
7 #include <linux/sched.h>
8 #include <linux/smp_lock.h>
/* Number of bytes at the start of kzalloc that the trampoline overwrites
 * (and that are saved so they can be put back on unload). */
#define CODESIZE 7

/* Address of the original kzalloc, typed as a function pointer. hook_init
 * fills it from a hard-coded constant rather than a runtime symbol lookup,
 * which ties the module to one specific kernel build. */
static void *(*orig_kzalloc)(size_t size, gfp_t flags);

/* Saved copy of the first CODESIZE bytes of kzalloc, restored by hook_exit.
 * Sized with a literal 7 rather than CODESIZE; the two must stay in sync. */
static char orig_kzalloc_code[7];
/* The trampoline written over kzalloc's prologue: a 5-byte `mov $imm32, %eax`
 * (0xb8 followed by the address, patched in by hook_init with &_kzalloc) and
 * a 2-byte `jmp *%eax` (0xff 0xe0). The literal's terminating NUL would be
 * an 8th byte and is dropped by the char[7] initializer. Register-width and
 * the 0xc1xxxxxx address below suggest a 32-bit x86 kernel. */
static char kzalloc_code[7] =
"\xb8\x00\x00\x00\x00"
"\xff\xe0";

/*
 * The same two instructions spelled out in assembly, for reference only
 * (this block is commented out and is never assembled):
 * __asm__(
 * "mov $0, %eax\n\t"
 * "jmp *%eax"
 * );
 */
/*
 * Clear CR0.WP (bit 16) on the current CPU so that supervisor-mode writes
 * to read-only pages - kernel text included - stop faulting. This is the
 * step that lets hook_init overwrite kzalloc in place; a CR0 write of this
 * kind is exactly what kernel integrity monitoring looks for. enable_wp()
 * is the inverse.
 */
static void disable_wp(void)
{
	const unsigned int wp_mask = 1U << 16;
	unsigned int cr0;

	asm volatile ("movl %%cr0, %0" : "=r" (cr0));
	cr0 &= ~wp_mask;
	asm volatile ("movl %0, %%cr0" :: "r" (cr0));
}
/*
 * Set CR0.WP (bit 16) on the current CPU again, re-arming the supervisor
 * write-protect check that disable_wp() switched off. Called as soon as
 * the patch bytes have been written so the window with WP clear is short.
 */
static void enable_wp(void)
{
	const unsigned int wp_mask = 1U << 16;
	unsigned int cr0;

	asm volatile ("movl %%cr0, %0" : "=r" (cr0));
	cr0 |= wp_mask;
	asm volatile ("movl %0, %%cr0" :: "r" (cr0));
}
/*
 * Local stand-in for memcpy: copies size bytes from src to dest one byte
 * at a time. The regions must not overlap. A size of zero or less copies
 * nothing. Returns dest.
 */
void * _memcpy(void *dest, const void *src, int size)
{
	unsigned char *out = dest;
	const unsigned char *in = src;

	while (size-- > 0) {
		*out++ = *in++;
	}
	return dest;
}
/*
 * Replacement that hook_init redirects kzalloc to. It ignores both
 * arguments and returns NULL, i.e. every caller sees an allocation
 * failure; it never forwards to the original, so nothing is allocated.
 * Any kzalloc caller that does not check for NULL will dereference it.
 */
void * _kzalloc(size_t size, gfp_t flags)
{
	(void)size;
	(void)flags;
	return NULL;
}
/*
 * Module entry point: installs the trampoline over the first CODESIZE
 * bytes of kzalloc.
 *   1. Patches the imm32 operand of the `mov` in kzalloc_code with the
 *      address of _kzalloc. NOTE(review): this writes a long through a
 *      cast pointer into a char array and relies on the compiler
 *      tolerating the aliasing and alignment.
 *   2. Takes kzalloc's address from a hard-coded constant; the module is
 *      therefore valid only for the exact kernel build the address was
 *      read from, and on any other build the bytes land in unrelated
 *      code. The integer-to-function-pointer assignment also lacks a cast.
 *   3. Saves the original prologue bytes, writes the trampoline with
 *      CR0.WP cleared, then re-enables WP.
 * Always returns 0, so module load is reported as a success.
 */
static int __init hook_init(void)
{
	*(long *)&kzalloc_code[1] = (long)_kzalloc;
	orig_kzalloc = 0xc14eda0b;

	disable_wp();
	_memcpy(orig_kzalloc_code, orig_kzalloc, CODESIZE);
	_memcpy(orig_kzalloc, kzalloc_code, CODESIZE);
	enable_wp();

	return 0;
}
/*
 * Module exit point: copies the CODESIZE saved prologue bytes back over
 * kzalloc, again with CR0.WP temporarily cleared, undoing what hook_init
 * did.
 */
static void __exit hook_exit(void)
{
	disable_wp();
	_memcpy(orig_kzalloc, orig_kzalloc_code, CODESIZE);
	enable_wp();
}
/* Module metadata. */
MODULE_DESCRIPTION("Kernel hijack - kernel hook example");
MODULE_AUTHOR("kernel hacker");
MODULE_LICENSE("GPL");

/* hook_init runs when the module is loaded, hook_exit when it is removed. */
module_init(hook_init);
module_exit(hook_exit);
参考文献:
Silvio - Kernel function hijacking (Function trampolines) :: http://vxheavens.com/lib/vsc08.html
动态替换Linux核心函数的原理和实现 :: http://www.ibm.com/developerworks/cn/linux/l-knldebug/
Kernel instrumentation using kprobes :: http://www.phrack.org/issues.html?issue=67&id=6#article
——————– Makefile —————-
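# Out-of-tree build of the kt-hook module against the running kernel's
# build tree. Both targets point kbuild at this directory with M= (the
# supported spelling; SUBDIRS= is the obsolete one) and use the same KDIR
# and $(MAKE), so build and clean act on the same tree and honour
# recursive-make flags.
obj-m := kt-hook.o
KDIR := /lib/modules/$(shell uname -r)/build
PWD := $(shell pwd)

default:
	$(MAKE) -C $(KDIR) M=$(PWD) modules

clean:
	$(MAKE) -C $(KDIR) M=$(PWD) clean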